|Version|1.8.10p3-1+deb8u9 (jessie), 1.8.19p1-2.1+deb9u5 (stretch)|
Matthieu Barjole and Victor Cutillas discovered that sudoedit in sudo, a program designed to provide limited super user privileges to specific users, does not properly handle '--' to separate the editor and arguments from files to edit. A local user permitted to edit certain files can take advantage of this flaw to edit a file not permitted by the security policy, resulting in privilege escalation.
For Debian 8 jessie, this problem has been fixed in version 1.8.10p3-1+deb8u9.
For Debian 9 stretch, this problem has been fixed in version 1.8.19p1-2.1+deb9u5.
We recommend that you upgrade your sudo packages.
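To confirm that a host is at or above the fixed version, the check below is an added example (not part of the advisory or of Debian's tooling) that reimplements dpkg's version ordering and compares an installed sudo version against the fixed versions listed above. The function names and the sample versions in the demo are assumptions made for illustration; on a live system the installed version comes from `dpkg-query -W -f='${Version}' sudo`.

```python
import re

# Fixed package versions, taken from the advisory text.
FIXED = {
    "jessie": "1.8.10p3-1+deb8u9",
    "stretch": "1.8.19p1-2.1+deb9u5",
}

def _weight(ch):
    """dpkg character order: '~' first, then end/digit (0), letters, the rest."""
    if ch == "~":
        return -1
    if ch.isalpha():
        return ord(ch)
    return ord(ch) + 256

def _part_key(part):
    """Sort key for an upstream version or a Debian revision string."""
    key = []
    # Alternating (non-digit run, digit run) pairs; findall also yields a final
    # empty pair, which acts as the end-of-string marker (weight 0).
    for text, digits in re.findall(r"(\D*)(\d*)", part):
        key.append(([_weight(c) for c in text] + [0], int(digits or 0)))
    return key

def deb_key(version):
    """Sort key for a full Debian version: [epoch:]upstream[-revision]."""
    epoch, colon, rest = version.partition(":")
    if not colon:
        epoch, rest = "0", version
    upstream, dash, revision = rest.rpartition("-")
    if not dash:
        # A missing revision is equivalent to revision "0".
        upstream, revision = rest, "0"
    return (int(epoch), _part_key(upstream), _part_key(revision))

def is_fixed(release, installed):
    """True if `installed` is at or above the advisory's fixed version."""
    return deb_key(installed) >= deb_key(FIXED[release])

if __name__ == "__main__":
    # Constructed sample versions, not taken from the advisory.
    for rel, ver in [("jessie", "1.8.10p3-1+deb8u8"),
                     ("stretch", "1.8.19p1-2.1+deb9u10")]:
        state = "fixed" if is_fixed(rel, ver) else "below fixed version, upgrade sudo"
        print(rel, ver, state)
```

A plain string comparison would misorder versions such as `deb9u10` and `deb9u5`, which is why the numeric runs are compared as integers.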
Further information about Extended LTS security advisories can be found in the dedicated section of our website.